Kentor.AuthServices 0.18.1 Breaking Changes

Today we released Kentor.AuthServices 0.18.1. It contains a number of bug fixes, but also a couple of breaking changes to a mostly internal API and logout handling.

You are affected if…

  • you build an HttpRequestData yourself, instead of using a built-in ToHttpRequestData() extension method.
  • you are using Single Logout and…
    • you have a ClaimsAuthenticationManager
    • you manually create an AuthServicesClaimTypes.LogoutNameIdentifier claim
    • you filter out claims that are persisted

Most users should not be affected, but if you match any of the above please read on.

HttpRequestData now contains User

The logout implementation in LogoutCommand needs to access the current user. It used to do that by accessing ClaimsPrincipal.Current. While working on the upcoming ASP.NET Core middleware we found that ClaimsPrincipal.Current is not set in that environment. It is also a problem for anyone with custom session handling who wants to integrate with the low level API and call the command classes directly.

The existing ToHttpRequestData() extension methods have been updated to include the user. You are only affected if you do not use them, or if you use a non-standard session storage; in that case the HttpRequestData you build must carry the current user yourself.

Logout Name Identifier Handling

SAML2 differs from other federation protocols in that the logout messages include the identity and session id of the logged in user session. This means that AuthServices needs to preserve the original name identifier, including some optional properties, and the session id. AuthServices used to do that by relying on the ClaimTypes.NameIdentifier claim, with AuthServicesClaimTypes.LogoutNameIdentifier as a fallback if the original name identifier could not be used in the application. From this release this has been changed and the AuthServicesClaimTypes.LogoutNameIdentifier claim is now mandatory.

Using a ClaimsAuthenticationManager

If you have a ClaimsAuthenticationManager and are using single logout, you have to make sure that the AuthServicesClaimTypes.LogoutNameIdentifier and AuthServicesClaimTypes.SessionIndex claims are included in the returned identity. The same applies if you filter claims before they are persisted in the session: without those two claims AuthServices cannot put the original name identifier and session id into the logout messages.

Creating an AuthServicesClaimTypes.LogoutNameIdentifier

If you previously created an AuthServicesClaimTypes.LogoutNameIdentifier claim by copying the ClaimTypes.NameIdentifier claim, you have to remove that code. The AuthServicesClaimTypes.LogoutNameIdentifier claim now has a more complex format that you should not try to create yourself. Carry the one included in the original identity forward instead.
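The following ClaimsAuthenticationManager is an added example, written for this page and not part of Kentor.AuthServices, covering both the "Using a ClaimsAuthenticationManager" and the "Creating an AuthServicesClaimTypes.LogoutNameIdentifier" cases above (and the related case of filtering claims before they are persisted). It replaces the incoming SAML identity with an application-specific one, which is exactly the situation in which the logout claims are easily lost, and copies AuthServicesClaimTypes.LogoutNameIdentifier and AuthServicesClaimTypes.SessionIndex forward unchanged instead of constructing them. The class name, the local user id mapping and the Kentor.AuthServices namespace for AuthServicesClaimTypes are assumptions; ClaimsAuthenticationManager, ClaimsIdentity and Claim.Clone() are standard System.Security.Claims APIs.

```csharp
using System.Linq;
using System.Security.Claims;
using Kentor.AuthServices; // assumed namespace for AuthServicesClaimTypes

// Hypothetical ClaimsAuthenticationManager for an application that builds
// its own identity (local account id, application roles) from the SAML
// identity, while keeping the two claims single logout depends on.
public class AppClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // The claim types AuthServices needs at logout time. They are copied
    // from the incoming identity, never created from other claims.
    private static readonly string[] LogoutClaimTypes =
    {
        AuthServicesClaimTypes.LogoutNameIdentifier,
        AuthServicesClaimTypes.SessionIndex
    };

    public override ClaimsPrincipal Authenticate(
        string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        var incoming = incomingPrincipal?.Identity as ClaimsIdentity;
        if (incoming == null || !incoming.IsAuthenticated)
        {
            return incomingPrincipal;
        }

        // Application identity: the IdP's NameIdentifier is replaced by a
        // local account id, so the original value is no longer available
        // on ClaimTypes.NameIdentifier after this point.
        var appIdentity = new ClaimsIdentity(incoming.AuthenticationType);
        appIdentity.AddClaim(new Claim(
            ClaimTypes.NameIdentifier, MapToLocalUserId(incoming)));
        appIdentity.AddClaim(new Claim(ClaimTypes.Role, "User"));

        // Keep every non-sensitive claim the application wants persisted.
        // Filtering happens here, so the logout claims must be kept explicitly.
        foreach (var claim in incoming.Claims.Where(c =>
            c.Type == ClaimTypes.Email || c.Type == ClaimTypes.Name))
        {
            appIdentity.AddClaim(claim.Clone());
        }

        // Carry the logout claims forward exactly as received. Do NOT build
        // a LogoutNameIdentifier from ClaimTypes.NameIdentifier: since 0.18.1
        // its format is internal to AuthServices.
        foreach (var claimType in LogoutClaimTypes)
        {
            var claim = incoming.FindFirst(claimType);
            if (claim != null)
            {
                appIdentity.AddClaim(claim.Clone());
            }
        }

        return new ClaimsPrincipal(appIdentity);
    }

    // Assumed account mapping: a real application would look the IdP's
    // NameIdentifier up in its own user store. Here the local id is derived
    // from the IdP value so the example is self-contained.
    private static string MapToLocalUserId(ClaimsIdentity incoming)
    {
        var idpNameId = incoming.FindFirst(ClaimTypes.NameIdentifier)?.Value
            ?? "anonymous";
        return "local:" + idpNameId;
    }
}
```

The design point is that the two logout claims are treated as opaque: they are found by type on the incoming identity and cloned, whatever their value format, which is what keeps the code correct across the format change in this release.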
